List files from webserver

[Ruberducky]

Hi,

Is there a way to 'list' all the files on a webserver?
With other words are other people to see all the files on my server?
And how would they do that?

Thanks

[nothingofvalue]

Not really, unless you have something setup incorrectly. If you are using shared hosting then they should have it all set up to prevent "browsing" but if you make a really drastic error then it could lead to an open directory. One such error would be forgetting to include a file named "index.htm" or similar if that is the filename specified in the httpconf file.

Conversly, people usually can browse subfolders. In other words, generally you cannot go to www.xyz.com and see everything that is in the directory, however, you can probably go to www.xyz.com/images/ and see a list of the files in that directory. This type of browsing can also be disabled, I believe.


One could crawl your site with software and get a pretty good idea of what is there, that's exactly what search engines do.

[mendhak]

I have allowed for directory browsing on some of the folders on my site, but the others, I simply protect by placing a blank (or annoying) index.html page there. For example, take a look at http://www.mendhak.com/images/

I've only 'placed' the images there that I am OK with others seeing, but not all the images.

[nothingofvalue]

yeah I have seen that done and it seems that is all you need to do to prevent directory browsing, however, I don't have anything worth browsing on my site so I never bother

[Ruberducky]

But i think I once had a piece of software that listed all the files.
Do you know the name of software that could do it? Even with an index.htm(l)

[mendhak]

Windows Explorer?

I am really not sure if such a software could exist, commercially of course. It would be a huge security issue. Imagine gaining access to sensitive files for members only on whatever sites.

Was it a hacking tool by any chance? Like Back Orifice?

[Ruberducky]

Well i dont think it was hackign because i did not brute force any password or so, i could not edit the pages to, just see a list.

Or is there a hack to list files without bruteforcing a pass?

[visualAd]

Directory listing can be enabled on a per directory basis in both IIS and Apache. If it has been disabled, there is no way of listing the contents of the directory. There is also an extension to the HTTP protocol called WEBDAV, which also enables fle to be uploaded and deleted from the server, again, these must be enabled.

Or course, if someone takes advantage of an exploit in the server software, there is a posibility they can gain access to the system and to other untoward things.